[PR #4851] [MERGED] Keep vglusers group unless no3d is used (virtualgl) #5269

New issue

Closed

opened 2026-05-05 10:35:21 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:35:21 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/4851
Author: @kmk3
Created: 1/12/2022
Status: ✅ Merged
Merged: 1/16/2022
Merged by: @netblue30

Base: master ← Head: groups-keep-vglusers

📝 Commits (1)

f329386 Keep vglusers group unless no3d is used (virtualgl)

📊 Changes

2 files changed (+8 additions, -1 deletions)

View changed files

📝 src/firejail/main.c (+6 -1)
📝 src/firejail/util.c (+2 -0)

📄 Description

virtualgl[1] runs chown root:vglusers on /dev/nvidia* and on devices
usually owned by the "render" group[2]. This makes them unavailable in
the sandbox if noroot (which causes groups to be dropped) is used.

Since firejail classifies all of the aforementioned devices as being
DEV_3D on fs_dev.c (which means that they are controlled by no3d),
treat the "vglusers" group the same as the "render" group (by always
keeping "vglusers" unless no3d is used).

See the discussion on #2042 (from this comment[3] onwards).

[1] https://virtualgl.org
[2] 6f0b90be02/server/vglserver_config (L393)
[3] https://github.com/netblue30/firejail/issues/2042#issuecomment-1007468715

Reported-by: @JCallicoat

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/4851 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 1/12/2022 **Status:** ✅ Merged **Merged:** 1/16/2022 **Merged by:** [@netblue30](https://github.com/netblue30) **Base:** `master` ← **Head:** `groups-keep-vglusers` --- ### 📝 Commits (1) - [`f329386`](https://github.com/netblue30/firejail/commit/f3293866936b725d1fe4786efe1774ec5ae22d9c) Keep vglusers group unless no3d is used (virtualgl) ### 📊 Changes **2 files changed** (+8 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/main.c` (+6 -1) 📝 `src/firejail/util.c` (+2 -0) </details> ### 📄 Description virtualgl[1] runs `chown root:vglusers` on `/dev/nvidia*` and on devices usually owned by the "render" group[2]. This makes them unavailable in the sandbox if `noroot` (which causes groups to be dropped) is used. Since firejail classifies all of the aforementioned devices as being `DEV_3D` on fs_dev.c (which means that they are controlled by `no3d`), treat the "vglusers" group the same as the "render" group (by always keeping "vglusers" unless `no3d` is used). See the discussion on #2042 (from this comment[3] onwards). [1] https://virtualgl.org [2] https://github.com/VirtualGL/virtualgl/blob/6f0b90be02d13171dfdfffb112485f4091a5904f/server/vglserver_config#L393 [3] https://github.com/netblue30/firejail/issues/2042#issuecomment-1007468715 Reported-by: @JCallicoat --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:35:21 -06:00

closed this issue
added the
pull-request
label

gitea-mirror referenced this issue

2026-05-05 10:38:27 -06:00

[PR #5315] [MERGED] Add Landlock support to Firejail #5441

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5269

No description provided.

Rows
Columns